DuckDuckGo: DOM XSS on 50x.html page on proxy.duckduckgo.com
Hi, I read the report about DOM XSS on 50x.html page https://hackerone.com/reports/405191. I decided to check some other subdomains to be sure. This link still executes javascript: https://proxy.duckduckgo.com/50x.html?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alert%27test%27;%3E The following...
DuckDuckGo: DOM XSS on 50x.html page
Hello, there is a DOM XSS vulnerability on https://duckduckgo.com/50x.html. It seems like the sink is DIV.innerHTML and the source is location.search. The PoC URL is: https://duckduckgo.com/50x.html?e=&atb=test%22/%3E%3Cimg%20src=x%20onerror=alertdocument.domain;%3E The code that is causing this XS...